Created attachment 1715250 [details] toolbox enter -vvv Description of problem: running toolbox under fc33 get fail [martin@localhost ~]$ toolbox rm --force Error: failed to get the Podman version Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1.toolbox create 2.toolbox enter 3.get fail Actual results: Error: failed to start container fedora-toolbox-33 Additional info:
$ toolbox create Created container: fedora-toolbox-33 Enter with: toolbox enter $ toolbox enter Error: failed to start container fedora-toolbox-33 Attaching log of debug output.
Note; this is a freshly installed Fedora 33 beta, updated to the latest packages with dnf update.
Could you please try: $ podman start --attach fedora-toolbox-33
$ podman start --attach fedora-toolbox-33 Error: unable to start container 8f5c99debf5591fe5763659bae0ca930b2cd52702678cebf6cd6c82f98212858: open /proc/sys/net/ipv4/ping_group_range: Permission denied: OCI runtime permission denied error
I see the same with fresh F33+ WS installs. Also with toolbox-0.0.96-1.fc34
[martin@localhost ~]$ podman start --attach fedora-toolbox-33 Error: unable to start container e087d5cf66c87ec67772821db7a5ef2af13e3b415879085a8492bf0010c9d70c: open /proc/sys/net/ipv4/ping_group_range: Permission denied: OCI runtime permission denied error
Looking at the ping_group_range in context, I found something specific to that here: https://github.com/containers/podman/blob/master/troubleshooting.md But even after fiddling about with some various values, nothing seemed to help. It did seem to have very sane values to begin with but I tried anyway. I might be missing something, or toolbox might have some independent settings somehow, I am not very familiar with toolbox, I've always used podman directly.
I try this toolbox reset export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u)/bus toolbox enter and then works ok
sorry I update to podman-2.2.0-0.18.dev.git14fd7b4,this version works
It's this Podman bug: https://github.com/containers/podman/issues/7766
*** Bug 1884675 has been marked as a duplicate of this bug. ***
i've added this bug to https://bodhi.fedoraproject.org/updates/FEDORA-2020-7b6058fec9 but the bodhi bug addition feature is acting all weird when I edit bodhi update. I dunno, but PTAL.
FEDORA-2020-7b6058fec9 has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-7b6058fec9` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7b6058fec9 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
I've updated today, cleaned up all podman pods and images, did toolbox reset, toolbox create, toolbox enter.. Same error. podman-2.1.1-9 and podman-plugins-2.1.1-9 as well as toolbox-0.0.96-1 updated today, along with some other packages.
Same problem on fedora-33 Workstation beta installed from Fedora-Everything-netinst-x86_64-33-20200929.n.0.iso I got it working by installing podman-2.2.0-0.20.dev.git7c12967.fc34.x86_64.rpm I have included some logs for podman 2.1.1-9 and also I have some questions after the below logs [gana@antares ~]$ toolbox create --container testtbox -vvv ... ... Created container: testtbox Enter with: toolbox enter testtbox [gana@antares ~]$ [gana@antares ~]$ toolbox enter testtbox -vvvv DEBU Running as real user ID 1000 DEBU Resolved absolute path to the executable as /usr/bin/toolbox DEBU Running on a cgroups v2 host DEBU Checking if /etc/subgid and /etc/subuid have entries for user gana DEBU TOOLBOX_PATH is /usr/bin/toolbox DEBU Toolbox config directory is /home/gana/.config/toolbox INFO[0000] podman filtering at log level debug DEBU[0000] Called version.PersistentPreRunE(podman --log-level debug version --format json) DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:private Cgroups:enabled DefaultCapabilities:[AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 1] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:true Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:systemd ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:journald HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:crun OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/gana/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/gana/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/gana/.config/cni/net.d}} DEBU[0000] Using conmon: "/usr/bin/conmon" DEBU[0000] Initializing boltdb state at /home/gana/.local/share/containers/storage/libpod/bolt_state.db DEBU[0000] Using graph driver overlay DEBU[0000] Using graph root /home/gana/.local/share/containers/storage DEBU[0000] Using run root /run/user/1000/containers DEBU[0000] Using static dir /home/gana/.local/share/containers/storage/libpod DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp DEBU[0000] Using volume path /home/gana/.local/share/containers/storage/volumes DEBU[0000] Set libpod namespace to "" DEBU[0000] [graphdriver] trying provided driver "overlay" DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs DEBU[0000] backingFs=btrfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false DEBU[0000] Initializing event backend journald DEBU[0000] using runtime "/usr/bin/runc" DEBU[0000] using runtime "/usr/bin/crun" DEBU[0000] using runtime "/usr/bin/kata-runtime" INFO[0000] Setting parallel job count to 7 DEBU[0000] Called version.PersistentPostRunE(podman --log-level debug version --format json) DEBU Current Podman version is 2.1.1 DEBU Old Podman version is 2.2.0-dev DEBU Migration not needed: Podman version 2.1.1 is old DEBU Resolving container and image names DEBU Container: 'testtbox' DEBU Image: '' DEBU Release: '' DEBU Resolved container and image names DEBU Container: 'testtbox' DEBU Image: 'fedora-toolbox:33' DEBU Release: '33' DEBU Checking if container testtbox exists INFO[0000] podman filtering at log level debug DEBU[0000] Called exists.PersistentPreRunE(podman --log-level debug container exists testtbox) DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:private Cgroups:enabled DefaultCapabilities:[AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 1] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:true Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:systemd ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:journald HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:crun OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/gana/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/gana/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/gana/.config/cni/net.d}} DEBU[0000] Using conmon: "/usr/bin/conmon" DEBU[0000] Initializing boltdb state at /home/gana/.local/share/containers/storage/libpod/bolt_state.db DEBU[0000] Using graph driver overlay DEBU[0000] Using graph root /home/gana/.local/share/containers/storage DEBU[0000] Using run root /run/user/1000/containers DEBU[0000] Using static dir /home/gana/.local/share/containers/storage/libpod DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp DEBU[0000] Using volume path /home/gana/.local/share/containers/storage/volumes DEBU[0000] Set libpod namespace to "" DEBU[0000] [graphdriver] trying provided driver "overlay" DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs DEBU[0000] backingFs=btrfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false DEBU[0000] Initializing event backend journald DEBU[0000] using runtime "/usr/bin/runc" DEBU[0000] using runtime "/usr/bin/crun" DEBU[0000] using runtime "/usr/bin/kata-runtime" INFO[0000] Setting parallel job count to 7 DEBU[0000] Called exists.PersistentPostRunE(podman --log-level debug container exists testtbox) DEBU Calling org.freedesktop.Flatpak.SessionHelper.RequestSession DEBU Starting container testtbox Error: failed to start container testtbox [gana@antares ~]$ I had to install podman-2.2.0-0.20.dev.git7c12967.fc34.x86_64.rpm as above. and that works I managed to enter a toolbox first time. I am new to toolbox. Sorry to ask some other questions. Q1) Am I to understand that 'toolbox' does not work, cannot be made to work as root? I get the following error if I try it Error: host directory cannot be empty Error: failed to create container testtbox Q2) How do I ensure that the container storage goes to /var/lib/containers instead of ~/.local/share/containers ? Q3) How can I make a toolbox commonly 'enter-able' by multipler users, ie share the toolbox / make global ? perhaps, like, convert it into a global podman container or a flatpak ? Q4) I had installed kata-runtime-1.11.1-1.fc33.1.x86_64 in some earlier attempt. Was that necessary ?
FEDORA-2020-7b6058fec9 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-7b6058fec9
Please check if 2.1.1-10 works for you. It resolved the ping_group_range permission denied issue for me for "podman run --net=host -it fedora bash".
submitted an upstream backport at https://github.com/containers/podman/pull/7915 as well.
Confirming that podman-2.1.1-10.fc33.x86_64.rpm does create toolbox and enters it
The below command just barfed many debug messages, and then ran to completion/sleep with no error. Had to press ctrl-C to end it. $ podman start --attach fedora-toolbox-33 gana@antares ~]$ podman start --attach fedora-toolbox-33 level=debug msg="Running as real user ID 0" level=debug msg="Resolved absolute path to the executable as /usr/bin/toolbox" level=debug msg="TOOLBOX_PATH is /usr/bin/toolbox" level=debug msg="XDG_RUNTIME_DIR is unset" level=debug msg="XDG_RUNTIME_DIR set to /run/user/1000" level=debug msg="Creating /run/.toolboxenv" level=debug msg="Monitoring host" level=debug msg="Path /run/host/etc exists" level=debug msg="Preparing to redirect /etc/host.conf to /run/host/etc/host.conf" level=debug msg="/run/host/etc/host.conf isn't a symbolic link" level=debug msg="Redirecting /etc/host.conf to /run/host/etc/host.conf" level=debug msg="Preparing to redirect /etc/hosts to /run/host/etc/hosts" level=debug msg="/run/host/etc/hosts isn't a symbolic link" level=debug msg="Redirecting /etc/hosts to /run/host/etc/hosts" level=debug msg="Preparing to redirect /etc/resolv.conf to /run/host/etc/resolv.conf" level=debug msg="/run/host/etc/resolv.conf isn't a symbolic link" level=debug msg="Redirecting /etc/resolv.conf to /run/host/etc/resolv.conf" level=debug msg="Binding /etc/machine-id to /run/host/etc/machine-id" level=debug msg="Creating /run/libvirt" level=debug msg="Binding /run/libvirt to /run/host/run/libvirt" level=debug msg="Creating /run/systemd/journal" level=debug msg="Binding /run/systemd/journal to /run/host/run/systemd/journal" level=debug msg="Creating /run/udev/data" level=debug msg="Binding /run/udev/data to /run/host/run/udev/data" level=debug msg="Creating /tmp" level=debug msg="Binding /tmp to /run/host/tmp" level=debug msg="Creating /var/lib/flatpak" level=debug msg="Binding /var/lib/flatpak to /run/host/var/lib/flatpak" level=debug msg="Creating /var/log/journal" level=debug msg="Binding /var/log/journal to /run/host/var/log/journal" level=debug msg="Creating /sys/fs/selinux" level=debug msg="Binding /sys/fs/selinux to /usr/share/empty" level=debug msg="Path /run/host/monitor exists" level=debug msg="Preparing to redirect /etc/localtime to /run/host/monitor/localtime" level=debug msg="/run/host/monitor/localtime isn't a symbolic link" level=debug msg="Redirecting /etc/localtime to /run/host/monitor/localtime" level=debug msg="Preparing to redirect /etc/timezone to /run/host/monitor/timezone" level=debug msg="/run/host/monitor/timezone isn't a symbolic link" level=debug msg="Redirecting /etc/timezone to /run/host/monitor/timezone" level=debug msg="Looking up group for sudo" level=debug msg="Group for sudo is wheel" level=debug msg="Modifying user gana with UID 1000:" level=debug msg=usermod level=debug msg=--append level=debug msg=--groups level=debug msg=wheel level=debug msg=--home level=debug msg=/home/gana level=debug msg=--shell level=debug msg=/bin/bash level=debug msg=--uid level=debug msg=1000 level=debug msg=gana level=debug msg="Removing password for user gana" level=debug msg="Removing password for user root" passwd: Note: deleting a password also unlocks the password. level=debug msg="Setting KCM as the default Kerberos credential cache" level=debug msg="Finished initializing container" level=debug msg="Creating runtime directory /run/user/1000/toolbox" level=debug msg="Creating initialization stamp /run/user/1000/toolbox/container-initialized-26558" level=debug msg="Going to sleep" Ctrl-C [gana@antares ~]$ toolbox enter ⬢[gana@toolbox ~]$ cat /proc/sys/net/ipv4/ping_group_range 65534 65534 Ctrl-D [gana@antares ~]$ cat /proc/sys/net/ipv4/ping_group_range 0 2147483647
Looks fixed here too, toolbox reset; toolbox create; toolbox enter
still not work for me toolbox reset toolbox create [martin@localhost ~]$ toolbox enter Error: failed to start container fedora-toolbox-33
[martin@localhost ~]$ podman start --attach fedora-toolbox-33 Error: unable to start container db2361341a77fb56d8bdb5a82e9455afe31de6eed9d251c94750172d84f41f1c: error creating systemd unit `libpod-db2361341a77fb56d8bdb5a82e9455afe31de6eed9d251c94750172d84f41f1c.scope`: got `failed`: OCI runtime error
toolbox reset export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u)/bus toolbox enter than works ok but after reboot its fail again
Martin, maybe make sure you're up to date? Especially podman*-2.1.1-10 I just had to do a normal clean update to pick it up, nothing special. dnf clean all ; dnf update
Version-Release number of selected component (if applicable): podman-2.1.1-10.fc33.x86_64 podman-plugins-2.1.1-10.fc33.x86_64 toolbox-0.0.96-1.fc33.x86_64 container-selinux-2.145.0-1.fc33.noarch containernetworking-plugins-0.8.7-1.fc33.x86_64 containers-common-1.2.0-3.fc33.x86_64 crun-0.15-5.fc33.x86_64
system: win10- > virtualbox -> f33 Something weird going on with the graphical-target and multi-user.target as well as presence/attempts of other podman containers At first everything was working okay, tool-box working inside gnome-terminal. Then ) logged in ctrl-alt-f4 linux-consle ) checked toolbox was working in linux console ) at this point I even verified that even if 'unset DBUS_SESSION_BUS_ADDRESS' 'toolbox enter' was done 'toolbox enter' would work ) exited the GUI login ) logged in via linux-console again ) systemctl isolate multi-user.target ) logged out linux-console, logged in linux-console again ) at this point toolbox enter stopped working in linux console (as if toolbox enter was somehow dependent on GUI) ) systemctl isolate multi-user.target ) logged in GUI ) checked toolbox reset create enter works in GUI ) checked toolbox enter fails in linux-console ) rebooted machine ) didn't work in linuxconsole, nor was reliable in gui, ) discovered I had a podman samba set as a systemctl service, which I have been also experimenting with. ) stopped the service, disabled/removed the service, podman reset ) rebooted ) then toolbox create, enter worked again in both linux console and GUI gnome-terminal so working again, but all this trouble should not happen.
typo: step before logged-in-GUI should have been systemctl isolate graphical.target.
FEDORA-2020-7b6058fec9 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.